[Calypso] [PATCH] Use bcrypt password encryption by default

Guido Günther agx at sigxcpu.org
Sat Apr 8 14:58:03 PDT 2017


All other htpasswd-based types are bad because they are either
weak or unsalted.
---
 README                  |  4 ++--
 calypso/acl/htpasswd.py | 14 ++++++++++++++
 calypso/config.py       |  2 +-
 config                  |  4 ++--
 requirements.txt        |  1 +
 5 files changed, 20 insertions(+), 5 deletions(-)

diff --git a/README b/README
index 398e000..c63a547 100644
--- a/README
+++ b/README
@@ -19,7 +19,7 @@ key=/etc/ssl/private/ssl-cert-snakeoil.pem
 
 [acl]
 type=htpasswd
-encryption=sha1
+encryption=bcrypt
 filename=$HOME/.config/calypso/htpasswd
 EOF
 
@@ -40,7 +40,7 @@ Creating users and calendars
 
 To add a new user:
 
-$ htpasswd -s $HOME/.config/calypso/htpasswd USER
+$ htpasswd -B $HOME/.config/calypso/htpasswd USER
 
 To add a new database:
 
diff --git a/calypso/acl/htpasswd.py b/calypso/acl/htpasswd.py
index 89e5ba5..2569778 100644
--- a/calypso/acl/htpasswd.py
+++ b/calypso/acl/htpasswd.py
@@ -31,6 +31,11 @@ import base64
 import hashlib
 import os.path
 import logging
+try:
+    import bcrypt
+    have_bcrypt = True
+except ImportError:
+    have_bcrypt = False
 
 from calypso import config
 
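Review bot: The try/except on the new import lines makes bcrypt optional, yet the same patch makes it the default `encryption` and pins it in requirements.txt, so a deployment without the module still starts and then rejects every login, with only a per-attempt `log.error` in `_bcrypt` to show why. If the dependency is required, drop the fallback and `import bcrypt` unconditionally so the failure is an ImportError at startup; if it is meant to stay optional, report the missing module once where the acl configuration is read (outside this hunk) instead of at authentication time. Either way, `have_bcrypt` deserves a one-line comment such as `# bcrypt is a hard requirement when encryption=bcrypt; the flag only defers the error` so the next reader knows which it is.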
@@ -57,6 +62,15 @@ def _sha1(hash_value, password):
     return sha1.digest() == base64.b64decode(hash_value)
 
 
+def _bcrypt(hash_value, password):
+    if have_bcrypt:
+        password = password.encode(config.get("encoding", "stock"))
+        return bcrypt.hashpw(password, hash_value) == hash_value
+    else:
+        log.error("Bcrypt module is missing, cannot authenticate")
+        return False
+
+
 def has_right(owner, user, password):
     """Check if ``user``/``password`` couple is valid."""
     log.debug("owner '%s' user '%s'", owner, user)
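Review bot: `return bcrypt.hashpw(password, hash_value) == hash_value` verifies the password with a plain `==` on the recomputed hash, which is not a constant-time comparison; bcrypt 3.1.x, the version this patch pins, ships `bcrypt.checkpw`, which performs the same round-trip with a constant-time compare and is the intended verification API, so `return bcrypt.checkpw(password, hash_value)`. Both hashpw and checkpw require bytes for both arguments, so if `hash_value` arrives as a text string (how it is read from the htpasswd file is outside this hunk) it needs an `.encode("ascii")` first or the call raises TypeError; likewise a stored value that is not a bcrypt hash makes the call raise ValueError rather than return False, which callers of `has_right` may not expect. A one-line docstring such as `"""Return True if ``password`` matches the bcrypt ``hash_value``."""` would match the neighbouring helpers. `has_right` begins in this hunk but continues past it.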
diff --git a/calypso/config.py b/calypso/config.py
index 0c3fee9..4ce945d 100644
--- a/calypso/config.py
+++ b/calypso/config.py
@@ -56,7 +56,7 @@ INITIAL_CONFIG = {
         "type": "fake",
         "personal": "False",
         "filename": "/etc/calypso/users",
-        "encryption": "crypt",
+        "encryption": "bcrypt",
         "pam_service": "passwd",
     },
     "storage": {
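Review bot: Changing the shipped default from `"crypt"` to `"bcrypt"` also changes behaviour for existing installations whose config omits `encryption` and whose htpasswd file holds crypt entries: after upgrading, those users fail to authenticate until the setting is added back or the file is regenerated with `htpasswd -B`. This is worth stating in the commit message or a NEWS entry, since the patch description only motivates the new default and does not mention the migration step.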
diff --git a/config b/config
index 780003a..c3c6973 100644
--- a/config
+++ b/config
@@ -41,8 +41,8 @@ personal = False
 # Htpasswd filename (if needed)
 filename = /etc/calypso/users
 # Htpasswd encryption method (if needed)
-# Value: plain | sha1 | crypt
-encryption = crypt
+# Value: plain | sha1 | crypt | bcrypt
+encryption = bcrypt
 # PAM service to use for authentication
 # pam_service = passwd
 
diff --git a/requirements.txt b/requirements.txt
index 613c087..be2a754 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -1,2 +1,3 @@
 python-daemon==2.1.1
 vobject==0.9.4.1
+bcrypt==3.1.2
-- 
2.11.0

